Why we need to be wary of USB attacks in industry | Stormshield

USB drives are a paradox for industry. They play leading role in how operational environments function, but can also cause incidents if they are managed or handled improperly. They are also one of the most coveted means of attack by cyber criminals. Here is a situational review of the ambivalent role of USB drives in the industrial world. Between operational effectiveness & necessity and intentional or accidental danger.

Even if they are relatively isolated, the industrial world and its operational networks with its factories, production sites, and automation must come to terms with the threat posed by USB drives. While we might be tempted to see it as a malicious threat only, it may also simply be a matter of chance. In fact, some industrial CISOs are more worried about the accidental introduction of malware that could jeopardise the production line via, for example, an employee’s USB drive that they had previously used in their personal life. It is hard to judge a person harshly who simply copied a seemingly harmless file onto their USB drive. And yet, it can happen.

So should industry therefore move away from USB drives? Is that conceivable for all branches of the sector? Can USB drives be replaced by alternative solutions that are appropriate for the operational infrastructure? How can we ensure a site’s IT security without slowing down or stopping production? There are so many questions and the issues inherent to industry are very real. Insights.


USB drives a necessity in OT

For all of those years when OT machines and workstations were not connected to the internet, USB drives were the preferred--sometimes the only--means of exchanging data. Furthermore, for a long time, people in industry have believed that the internet posed the biggest risk of cyber attacks rather than physical devices. USB drives therefore have historic value in OT, which tends to evolve and transform at a slower rate than IT. ‘OT has a lower-level focus and is applied in a context where the systems cannot be stopped or slowed down. In industry, therefore, the paradigm is the opposite of that used in other sectors: continuity and fluidity are prioritised over security. We prefer to take the risk of using USB drives rather than take the risk of blocking production’, explains Thierry Hernandez, the Global Account Manager at Stormshield.

In industry, we prefer to take the risk of using USB drives rather than take the risk of blocking production

Thierry Hernandez, Stormshield Global Account Manager

The inherent operating methods of the industrial world include that the people in charge of maintenance at industrial sites (for automated systems, sensors, and more) are external contractors who are not always able to connect to the network. USB devices, including drives, are vital for these integrators who use them for all sorts of operations such as installing updates and recovering saved copies or backups. However, there is nothing to guarantee to an industrial site that this type of action by third party companies is conducted with the same rigorous security standards as those followed by the company itself, which can lead to risks.

But choosing to forgo USB drives and this operating method in OT can prove to be particularly complex depending on the specific industrial sector in question. In so-called ‘heavy’ industry (such as the agri-food, steel, water, and chemical industries, among others), machines and workstations are not very connected and USB drives are essential for intervening on each workstation directly. But the practical nature of these USB devices is counterbalanced by the fact that they are a formidable vector of contamination.


USB drives as vectors of malware

A USB drive makes it possible to exchange any data and brings unknown elements into a network. This includes sensitive elements within an industrial site. Additionally, a USB drive does not go through all of the perimeter defences of a structure, arriving instead directly at a user workstation. ‘A USB drive can have anything on it and the negligence of users who do not have the instincts to check its contents before inserting it into a machine is commonplace and dangerous’, states Thierry Hernandez.

A USB drive can have anything on it and the negligence of users who do not have the instincts to check its contents before inserting it into a machine is commonplace and dangerous

Thierry Hernandez, Stormshield Global Account Manager

With the advent of Industry 4.0, factories are increasingly connected and therefore increasingly vulnerable to malware. For attackers, USB drives are a point of entry to gain access to a system and infect all or part of a network. There are many cyber risks, from production line blockage to the installation of malicious programs, remote espionage, or even data locking.

When it comes to malicious actions, critical industrial infrastructure are the targets of attacks and according to SANS, 56% of security incidents targeting them involve USB drives. Cyber criminals are increasingly inventive and creative and have used many forms of USB-based cyber attacks in the IT world. In 2005, the AutoRun feature, which Microsoft intended to automatically launch programs when a USB device was connected to a workstation, created the perfect opportunity for attackers. Simply plugging a device into the workstation could trigger the automatic execution of malicious applications or codes on the drive. In the early 2010s, the rubber ducky USB drive-based attack became a common means for cyber criminals to pirate IT systems. The PHUKD attacks (Programmable HID USB Keystroke Dongle) used the same ideas, imitating the activity of a keyboard or mouse. In 2014, the BadUSB hack appeared, exposing a flaw that some researchers considered critical for industrial control systems. Then 2017 was the year of the P4wnP1, a programme designed to conduct attacks using Raspberry Pi Zero and Raspberry Pi W. Several years later, it was Bash Bunny that made a splash. Then, much more recently, the USB Killer attack has been able to crash a machine in seconds just by plugging in the malicious drive to the targeted workstation.

Applied in the world of industry, these infection methods have led to many cases of cyber attacks. In 2017, critical infrastructure in the Middle East was targeted by Copperfield malware distributed by a USB drive at a workstation shared by several dozens of employees at the structure in question. Copperfield is a remote access Trojan (RAT) that specifically targets critical industries. As soon as the infected USB drive is connected to the workstation, the malware spreads, using the Windows Script Host to take control of the machine. That same year, in their report entitled ‘The Guidelines on Cyber Security Onboard Ships’, several actors in the maritime sector raised alarms about the risks related to USB drives for their industry. The report analyses many cyber attacks including two that were possible due to the use of USB drives. The first attack involved negligence or a lack of knowledge on the part of the crew. A member of the security team on a merchant marine vessel accidentally connected an infected USB drive to the ship’s IT system. The USB drive then spread the malware throughout the systems and the crew did not find out until several days later due to abnormal behaviours in those systems. Another example involves the core of a ship’s energy management system. IT service providers in charge of the ship’s systems detected dormant malware there. It was inactive because the device in question was not yet connected to the internet, but it would spread within the systems once connected to the network. Finally, much more recently, the automotive industry narrowly avoided what could have been a large-scale attack. In August, a Tesla employee was approached by a Russian cyber criminal who offered the modest sum of one million dollars to spread malware within the company’s IT systems using an infected USB drive. If the employee had not informed the FBI and foiled the attack, Tesla could have joined the long list of victims of USB drive attacks.

The world of industry finds itself caught between a rock and a hard place, needing to ensure sustained and fluid operational activity while also taking into account the risks of using USB drives within the company.


Securing or eliminating USB drives

To protect themselves and limit risks, some structures are relying on software solutions to control USB drives. The goal is to be able to continue using these external devices while strengthening control over the data being exchanged. ‘It is possible to use cyber security kiosk procedures to ensure secure use of USB drives within the company’, explains Adrien Brochot, Stormshield Product Manager. ‘It comes down to scanning the drive to ensure that there is no malware, but also to calculate the footprint of its content to know its current state and check it when it is connected to any workstation that needs protection. If the footprint has been changed, then the person needs to verify if those changes are authorised on an internal workstation that is also protected. If not, access is denied.’ Controlling and inspecting USB drives means excluding certain ones. In privileged settings, only authorised USB drives will be allowed for use. To secure the USB drives, endpoint security solutions may also be used. In any event, ensuring the reliability of a USB drive is particularly important for critical industrial workstations, especially those that perform supervision operations.

Some companies opt more for security policies with very restricted lists of authorised USB devices. In 2019, the French national information systems security agency (ANSSI) tackled the difficult subject of USB drives head on, presenting its open source project Wookey, intended to strengthen the security of work stations and specifically combat BadUSB-type attacks. Finally, structures simply banned the use of USB drives to reduce the risk of attacks, following in the footsteps of IBM and the American army.


Industry 4.0: A potential alternative to USB drives

Additionally, a new trend is emerging in OT to potentially replace USB drives by using servers like in IT, true spaces for file sharing or application flows.

We must have an alternative to USB drives before considering replacing them and increasing the connectivity capacity of a network can be a good option

Fabrice Tea, Schneider Electric Technical Director of Digital Transformation

The USB drive is, in some structures, much less used than previously and files are increasingly shared via the network. Network connections and telemaintenance could therefore be an interesting alternative to these devices. ‘Replacing USB drives with digital systems could save significant time and provide real user comfort. The people in charge of backups at industrial sites could, for example, save 3 to 4 days of work per month with a digital system’, explains Fabrice Tea, the Schneider Electric Technical Director of Digital Transformation, adding: ‘We must have an alternative to USB drives before considering replacing them and increasing the connectivity capacity of a network can be a good option’.


One point to note, however, is that the 4.0 approach is not generalised in Industry. Many facilities do not currently have it in place and interconnecting critical workstations can prove to be a sensitive cybersecurity issue for operational systems. By connecting workstations to one another and especially to the outside world, you create more potential areas of industrial infrastructure to attack. This is particularly true for small facilities that do not have the resources of large industrial actors. Publishers therefore have a key role to play in assisting organisations as they adapt to the culture of Industry 4.0 cyber.

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
To address cyber threats to operational networks (OTs), which are on the rise with the deployment of Industry 4.0 (Cloud, Big Data, 5G, Internet of Things), Stormshield recommends a single, comprehensive approach. The aim is to ensure that networks function properly and that there is continuity of activity for all players: energy, transport, industry, health, etc.
In 2010, the world discovered Stuxnet. A malware that hit the PLCs in charge of the centrifuges of an Iranian uranium enrichment plant and which highlighted the vulnerability of industrial environments. Since this episode, which came from a small infected USB key, the cyber risk has been extended to the entire industrial world.
About the author
Vincent Nicaise Industrial Partnership and Ecosystem Manager, Stormshield

With his many years of professional experience, Vincent negotiates the cyber sphere with genuine commercial, marketing and technical gusto. A fan of street art, octopus and cybersecurity (not necessarily in that order), he is responsible for partnerships with the entire cyber-industrial ecosystem. A busy man indeed.